Our RES Risk Assessment Software allowed simulation of scenarios and impacts, saving money and reducing risk.
In this study our client was a utility supply authority, pivotal in its marketplace and answerable to multiple industry participants. It is required by them to uphold strict codes of governance, which include effective business continuity management. As part of a periodic review, INONI was invited to produce and present the next generation of Business Impact Analysis (BIA) and propose a new Business Continuity Strategy (BCS) to reflect the organisation’s rapidly evolving operation, infrastructure and technology.
Our objectives for the project included:
- Producing a time-lapse simulation of the business, generating Recovery Time Objectives (RTOs) for all services, assets and supplies, and accurately reflecting stakeholder tolerance to disruption under different seasonal conditions.
- Using the model to compare the effectiveness of alternative strategies and identify which was the most appropriate and cost-effective under the circumstances.
- Reflecting future changes and re-running the model with minimum intervention, and in so doing updating both the BIA and BC Strategy data.
The project began conventionally with a presentation to management followed by site inspection and a series of one-to-one meetings with key personnel. INONI’s consultants collected a substantial body of stakeholder, asset and dependency data, organisation charts, industry and IT systems information, customer characteristics and copies of current business continuity and disaster recovery plans. This information was input into RES via its graphical user interface, with each business entity or asset represented as a Risk Assessment Node.
A part of this analysis involved assessing each stakeholder’s tolerance to loss of service and determining how and when the organisation might be harmed if this threshold was exceeded. This data was represented as service level impact profiles agreed by senior staff in a series of meetings. Composite impacts and seasonal and intra-day variations were also discussed, giving rise to a unique profile for the organisation, covering all impact types.
Note that the subject organisation in this case was a not-for-profit concern and this was reflected in its impact profile, placing emphasis on reputation, legal exposure, staff, productivity and funding impacts. RES provides the ability to record intangible aspects such as these as indices or, if appropriate, to assign financial values to any or all impact types.
In general, restoring services to customers in acceptable timeframes means underlying business and operational components also need to be restored in a set sequence. RES captures and represents interdependencies within the organisation and also externally in the supply chain. These links were integrated with the stakeholder and service model as RES layers.
The layers were populated with RES nodes and linked with dependencies to reflect actual relationships within the organisation. Failures affecting any node now flow up through the model, depleting services and attracting impact.
A library of scenarios relevant to the business and its location was added to the model, simulating denial of services or destruction of assets in patterns that reflected major disruptive events. Running the model with one or more active scenarios transmitted the effects of service depletion along dependencies, ultimately affecting stakeholders and building impact in distinct and realistic patterns that bore scrutiny.
RES Map showing nodes and dependencies
Various strategies were proposed and reflected in the model. RES allows them to be fully or partially implemented or withheld in any combination, and with varying lead times - often a factor affecting potential cost. We evaluated five detailed strategies in this way, taking account of the outlay, complexity and RES impact profile of each for each of the representative worst-case scenarios. These included:
- Contracted hot-site IT DR with work area recovery for 30% staff in 24 hours
- Hybrid replication using DR for sub-critical IT and 30% work area recovery
- Replica systems and buildings (do everything)
- Do nothing
Calculated cumulative impacts for 10-day RES simulations following Destructive Site Loss were as follows*
- Do Nothing - £968,705
- Conventional DR - £229,224
- Hybrid Replication - £82,608
An important caveat on all numbers like these arising from simulations is that they are of course less accurate than the raw data used to create them. In this case, dependency and impact profiles were all based on interviews with staff and this soft data then input into the model. Notwithstanding this, the algorithms used by RES have been designed to converge on hard organisational characteristics, such as loss capacity for each impact type, rather than by upward calculation of losses.
The project quantifies the reduction in impact and exposure to risk that can be achieved by adopting a basic disaster recovery solution. Replication reduced this still further, cutting the impact felt over the 10 days immediately following a major incident by more than 90%. The costs associated with each of the latter two options were found to be similar, and INONI recommended the hybrid DR solution as the preferred solution.
Specific findings included:
- Hybrid replication offered the most cost-effective solution in this particular case
- We were able to reasonably compare the effects and merits of various strategy combinations
- We were able to repeat the experiments and support the business case in presentations
- We provided quantified RTOs for all nodes and entities, validating and informing Business Continuity Plans
- We were able to explore other scenario variants, further validating the strategy
- We can place values on individual equipment failure and determine where protection is optimised
- RES remains in place and accessible. It can be used to simulate real events in a crisis.
Incremental Impact Profile
Overall, the programme was considered highly successful, generating important insights. These included:
- Editing the model and re-running the risk portfolio was straightforward
- The graphical online map was clear and easy to follow by all staff
- RES is scalable. It allows most organisational and stakeholder behaviours to be simulated
- The entire programme took less than 2 months including interviews, reporting and presentation